Onboard Prisma Access Browser on the Strata Cloud Manager

Learn how to onboard Prisma Access Secure Enterprise Browser (Prisma Access Browser) on the Strata Cloud Manager and integrate with Prisma Access.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • Prisma Access with Prisma Access Browser bundle license
  • Superuser or Prisma Access Browser role
See the prerequisites before you begin this task.

Complete the Pre-Onboarding Tasks

Before onboarding Prisma Access Browser, you must complete a couple of tasks.
  1. Define the Cloud Identity Engine entities. This can be configured by using the Cloud Identity Engine that you selected during the activation process.
  2. You need the Authentication profile and the User groups that are part of your onboarding process. These are configured in the Cloud Identity Engine. For more information, refer to the Authentication profile and User groups.
    You can only have one Authentication Profile. If you use more than one Identity Provider (IdP), you can configure multiple IdPs per profile. This can be done with the Authentication Mode choice of Multiple when you configure the Authentication Profile.

Add IdP Configuration

You can use your current SAML IdP provider to manage a single set of login credentials in your network. The IdP configuration is a component of the Cloud Identity Engine, and you can manage it within that tool.
  1. In the Cloud Identity Engine, select Authentication Type.
  2. Click Add New Authentication Type.
    When you use the IdP provider’s information to populate your user groups, you need to make sure to correctly enter a valid email address. The UPN isn't sufficient.
  3. In the Set Up Authentication Type, click SAML 2.0 Set Up.
  4. To continue configuring your SAML Authenticator, refer to Configure a SAML 2.0 Authentication Type in the Cloud Identity Engine.
  5. (Optional) Use Google Workspace Integration.

Onboard the Prisma Access Browser

After you do the pre-onboarding steps, you can onboard the Prisma Access Browser on the Strata Cloud Manager.
You need to activate and configure the Prisma Access Browser in the Strata Cloud Manager before you can add users. In general, this is a one-time procedure that you perform after Activation; however, you can return to these tasks anytime you need to modify them.
There is a Wizard that you can use for this process, and you can modify the global configuration at any time. The Wizard provides detailed instructions on completing each step of the integration.
The controls that you see depend on your Prisma Access Browser license; not all the Onboarding functionality in the Strata Cloud Manager is available for all licenses.
From the Strata Cloud Manager, select Workflows > Prisma Access Setup > Prisma Access Browser.

Step 1 - Users

Define the user authentication method and onboard User groups.
  1. From the dropdown list, select the CIE profile that will be used for User Authentication.
  2. From the User groups dropdown list, select the User groups that will be able to access Prisma Access Browser.
  3. Next: Prisma Access Integration.

Step 2 - Prisma Access Integration

  1. Enable external connectivity to Prisma Access.
    1. Select Go to Explicit Proxy settings.
    2. This takes you to Workflows > Prisma Access Setup > Explicit Proxy.
    3. Enable the Prisma Access Browser.
    4. Done.
  2. Allow the Prisma Access Browser in the Prisma Access security policy.
    1. Select Manage > Prisma Access > Security Policy.
    2. This takes you to Manage > Prisma Access > Security Policy.
    3. Add a rule that allows web traffic in your security policy.
    4. Push configuration to accept the rule.
    5. Done.
  3. Create a service connection.
    1. Select Create a service connection.
    2. This takes you to Workflows > Prisma Access Setup > Service Connections and Add Service Connection.
    3. Done.
    4. Next: Routing.

Step 3 - Routing

The Routing control allows you to manage the way that the Prisma Access Browser handles network traffic. This feature sets up the default configuration for Prisma Access Browser. If you need to adjust the granularity of the control for a specific Rule, refer to Browser Customization Controls for traffic flows.
  1. Choose one of the following Traffic Control options:
    If all browser traffic is configured to be routed through Prisma Access, then this configuration is ignored.
    • Only route private application traffic through Prisma Access.
    • Route all traffic through Prisma Access.
    • Do not route traffic through Prisma Access.
    The Traffic Control option appears only if the Prisma Access Licensing exists.
  2. (Optional) Ensure that the Prisma Access Browser traffic flows in an optimal manner when the browser detects it's running within the internal network. This identification is based on establishing a connection with a host that is only available inside the internal network.
    • Enter the FQDN to resolve.
    • Enter the expected IP address.
  3. Choose whether or not to identify the internal network by detecting if the GlobalProtect or the Prisma Access Agent is running on the device.
  4. Choose whether or not to enable Agent detection on your network.
    • Toggle on - Enable Agent Detection.
    • Toggle off - Disable Agent Detection.
    Next: Enforce SSO applications.
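
A pre-check for the FQDN and expected IP address entered in step 2, added here as an example and not taken from Palo Alto Networks code. It assumes the browser compares the resolved address with the expected IP; the host name, addresses and resolver views are constructed.

```python
import ipaddress
import socket

# Constructed DNS views: what the probe name answers inside and outside.
INTERNAL_VIEW = {"probe.corp.example": {"10.20.30.40"}}
EXTERNAL_VIEW = {}


def view(zone):
    """Build an offline resolver from a constructed name -> addresses map."""
    return lambda fqdn: zone.get(fqdn, set())


def system_resolve(fqdn):
    """Resolve with the local resolver; return a set of address strings."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    # Drop any IPv6 scope suffix such as "%eth0" before comparing.
    return {info[4][0].split("%")[0] for info in infos}


def check_probe(fqdn, expected_ip, inside=system_resolve, outside=None):
    """Validate an FQDN / expected-IP pair for internal-network detection.

    inside  - resolver as seen from the internal network
    outside - optional resolver as seen from an external network
    Returns a list of problems; an empty list means the pair looks usable.
    """
    problems = []
    expected = ipaddress.ip_address(expected_ip)  # raises on a malformed entry
    in_addrs = {ipaddress.ip_address(a) for a in inside(fqdn)}
    if not in_addrs:
        problems.append("FQDN does not resolve on the internal network")
    elif expected not in in_addrs:
        problems.append("internal answer lacks the expected IP")
    if outside is not None:
        out_addrs = {ipaddress.ip_address(a) for a in outside(fqdn)}
        if expected in out_addrs:
            # The host must be reachable only inside the internal network.
            problems.append("FQDN resolves to the expected IP externally too")
    return problems


if __name__ == "__main__":
    print(check_probe("probe.corp.example", "10.20.30.40",
                      view(INTERNAL_VIEW), view(EXTERNAL_VIEW)))
```

Run it once from a device inside the network with the default resolver and once with an external view to confirm that the name is internal only.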

Step 4 - Enforce SSO Applications

It's important that the only way your users can authenticate on SSO-enabled applications is by using the Prisma Access Browser. This will ensure that external actors will have no access to your enterprise applications. To select your IdP:
  1. In the Choose and configure your identity providers, select the available IdP. The options are:
    • Okta
    • Microsoft Azure Active Directory
    • PingID
    • OneLogin
    • VMware Workspace ONE Access
  2. When you configure your local settings, be sure to take note of the egress IP addresses.
  3. Next: Download and distribute.
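
One way to verify the enforcement described in this step, added here as an example and not part of the product: audit IdP sign-in events against the egress IP addresses you noted. The JSON-lines log format, field names, users and addresses are constructed; adapt the field names to your IdP's log export.

```python
import ipaddress
import json

# Constructed values: documentation ranges standing in for the egress IPs
# noted in the wizard, and a hypothetical IdP sign-in log in JSON lines.
EGRESS_NETWORKS = ["203.0.113.16/29", "198.51.100.40/32"]

SAMPLE_SIGNIN_LOG = """\
{"time":"2024-05-02T08:14:03Z","user":"ana@example.com","app":"crm","src_ip":"203.0.113.18","result":"SUCCESS"}
{"time":"2024-05-02T08:15:41Z","user":"raj@example.com","app":"crm","src_ip":"192.0.2.77","result":"SUCCESS"}
{"time":"2024-05-02T08:16:10Z","user":"li@example.com","app":"wiki","src_ip":"198.51.100.40","result":"SUCCESS"}
{"time":"2024-05-02T08:17:55Z","user":"raj@example.com","app":"hr","src_ip":"192.0.2.77","result":"FAILURE"}
{"time":"2024-05-02T08:19:02Z","user":"sam@example.com","app":"hr","src_ip":"not-an-ip","result":"SUCCESS"}
"""


def parse_networks(cidrs):
    """Turn the noted egress addresses or CIDRs into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def audit_signins(log_text, egress_cidrs):
    """Return successful sign-ins whose source is not a browser egress IP.

    Events with an unparsable source address are reported too, because they
    cannot be shown to come from the egress set.
    """
    networks = parse_networks(egress_cidrs)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("result") != "SUCCESS":
            continue  # failed attempts did not obtain a session
        try:
            src = ipaddress.ip_address(event.get("src_ip", ""))
            allowed = any(src in net for net in networks)
        except ValueError:
            allowed = False
        if not allowed:
            findings.append((event["time"], event["user"],
                             event["app"], event.get("src_ip")))
    return findings


if __name__ == "__main__":
    for finding in audit_signins(SAMPLE_SIGNIN_LOG, EGRESS_NETWORKS):
        print("sign-in outside Prisma Access Browser egress:", *finding)
```

Any finding means an SSO-enabled application accepted a sign-in that did not arrive through the browser's egress addresses, so the IdP rule for that application needs review.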

Step 5 - Download and Distribute

You can download the Prisma Access Browser installation files to test on your own device before sending it out to your users. Once you're satisfied with your tests, you can download the relevant installer to be distributed by your mobile device management (MDM) application.
You can also send your users the download link so that they can download the Prisma Access Browser on their own. This is a single link for macOS and Windows users only.
  1. Select from the available options:
    • Desktop:
      • macOS
      • Windows
    • Mobile:
      • iOS
      • Android
    If you send your users the download link, remind them that they can only log in with the email that is configured in the IdP service.
  2. Next: Browser Policy.

Step 6 - Browser Policy

You can now begin to explore and configure the Prisma Access Browser Policy Engine to create a safe and secure user environment.
  1. Select Browser Policy.
  2. This directs you to Manage > Configuration > Prisma Access Browser > Policy > Rules.
  3. Manage Prisma Access Browser Policy Rules.

Onboard New Users

The Onboarding workflow is a configurable series of windows displayed when a new end user starts using the browser.
Based on the IT needs and requirements, you can select up to eight individual pages that allow the end users to customize the browser with their pictures and bookmarks, and to find out some basic information about the browser – a sort of “Quick-Start” guide.
The Onboarding Wizard customization control configures the Onboarding workflow. You can select which windows will be displayed in your network.
You configure this in Manage > Configuration > Prisma Access Browser > Policy > Profiles when you create or edit a Browser Customization profile and choose Onboarding Wizard. For configuration details, see the Browser Customization Controls for the Onboarding Wizard.